What happened:
Grype/Syft do not detect CVE-2024-23639, a vulnerability of the Micronaut framework for Java/Kotlin
What you expected to happen:
The Micronaut component to be listed by Syft and recognized as vulnerable by Grype for CVE-2024-23639
How to reproduce it (as minimally and precisely as possible):
You could probably test it on any old publicly accessible image with micronaut
Example: grype schnatterer/micronaut-getting-started:latest
If I write out an SBOM, and edit it so that the PURL on this package has the correct group ID (pkg:maven/io.micronaut/micronaut-http-server@3.8.2), then grype reports the CVE correctly.
Anything else we need to know?:
Environment:
Output of grype version:
Application: grype
Version: 0.74.6
BuildDate: 2024-02-14T22:19:32Z
GitCommit: b9cf0e5
GitDescription: v0.74.6
Platform: darwin/arm64
GoVersion: go1.21.7
Compiler: gc
Syft Version: v0.105.0
Supported DB Schema: 5
OS (e.g. cat /etc/os-release or similar): MacOS
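The SBOM edit mentioned in the report (correcting the Maven group ID in the package's PURL before handing the SBOM to Grype) can be scripted. The following is an added example, not code from the reporter or from the Syft/Grype projects. It assumes a Syft-JSON-style document with an `artifacts` list whose entries carry a `purl` field; the `EXPECTED_GROUP` table, the function names and the wrong group ID in the sample are constructed for illustration.

```python
# Assumption: known-correct Maven group IDs keyed by artifact name.
# Only the pair named in the report is listed here.
EXPECTED_GROUP = {"micronaut-http-server": "io.micronaut"}

def fix_maven_purl(purl, expected=EXPECTED_GROUP):
    """Return purl with the expected group ID, or unchanged if not applicable."""
    prefix = "pkg:maven/"
    if not purl.startswith(prefix):
        return purl
    # Keep qualifiers (?...) and subpath (#...) exactly as they were.
    cut = min([i for i in (purl.find("?"), purl.find("#")) if i != -1] or [len(purl)])
    core, tail = purl[len(prefix):cut], purl[cut:]
    path, at, version = core.partition("@")
    namespace, _, name = path.rpartition("/")  # namespace is "" when missing
    group = expected.get(name)
    if group is None or namespace == group:
        return purl
    return f"{prefix}{group}/{name}{at}{version}{tail}"

def fix_sbom(sbom, expected=EXPECTED_GROUP):
    """Rewrite PURLs in place; return the (old, new) pairs for review."""
    changes = []
    for pkg in sbom.get("artifacts", []):
        old = pkg.get("purl", "")
        new = fix_maven_purl(old, expected)
        if new != old:
            pkg["purl"] = new
            changes.append((old, new))
    return changes

def make_sample():
    # Constructed sample; "example.wrong.group" is an invented placeholder,
    # not the group ID Syft actually emitted.
    return {"artifacts": [
        {"name": "micronaut-http-server", "version": "3.8.2",
         "purl": "pkg:maven/example.wrong.group/micronaut-http-server@3.8.2"},
        {"name": "slf4j-api", "version": "1.7.36",
         "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.36"},
    ]}

if __name__ == "__main__":
    for old, new in fix_sbom(make_sample()):
        print(f"{old} -> {new}")
```

Printing the changed pairs keeps the rewrite auditable, so a corrected SBOM is not mistaken for scanner output.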